0121 222 5630

Email Aristi Ltd Follow Aristi Ltd on Facebook Follow Aristi Ltd on Twitter Follow Aristi Ltd on LinkedIn Follow Aristi Ltd on Google Plus

Insights and Updates.
Made for you.

You are here:
Posted on Monday, 13 March 2017

Are you ready for GDPR?.

Written by

Are you ready for GDPR?

The General Data Protection Regulation (GDPR) is a new legal framework that applies in the UK from May 2018. Regardless of Brexit, The UK Government have confirmed that the decision to leave the EU will not affect the commencement of GDPR.

If you are currently subject to the UK Data Protection Act 1998 (DPA), it is likely that you will be subject to the GDPR. If you currently comply with the DPA then most of your approach to compliance will remain valid for the GDPR, but there are some differences in the new regulation such as:

  • The definition of personal data has been extended to include online identifiers such as IP addresses and cookies;
  • Additional obligations on Data Controllers to ensure contracts with Data Processors comply with the GDPR;
  • Consent requires some form of clear affirmative action and must be verifiable;
  • New provisions for the protection of children’s personal data;
  • New rights for individuals;
  • Enhanced requirements for the implementation of comprehensive but proportionate governance measures to minimise the risk of breaches;
  • A duty on all organisations to report certain types of data breaches;
  • The Data Controller is responsible for and should be able to demonstrate compliance with the GDPR principles.

Failure to comply with the GDPR could result in fines of up to 20 million Euros or 4% of global annual turnover, whichever is greater.

The Information Commissioners Office (ICO) has produced some guidance  for organisations but in summary, a GDPR readiness assessment should be conducted to identify any gaps in compliance and plan your approach to GDPR.

The ICO provides a 12 step approach which is summarised below:

  1. Ensure that senior management are aware of the changes and the impact of GDPR. Many organisations believe that information and its security is the responsibility of IT. The business owns the information within the organisation and the associated security risks. A Senior Information Risk Owner (SIRO) should be assigned by the board to act as the point of contact for risk ownership decision making on behalf of the board (although the bard as a whole is still responsible).
  2. Identify and document the personal data you hold. It is good practice to document all data types (financial, operational etc.) but for GDPR, organisations have a responsibility to ensure personal data is accurate. You can’t do this is you don’t know what personal data you hold. Appoint Information Asset Owners (IAOs), typically heads of business areas/departments to take ownership and accountability for data.
  3. GDPR introduces new requirements for privacy statements i.e. what you should tell people when you collect their personal data such as your legal basis for processing the data, your data retention period and the invidual’s right to complain to the ICO if they believe there is an issue with the way you are handling their data. Review your current privacy notices to identify any gaps in compliance and implement a plan to change them if required.
  4. Check your procedures to ensure all the rights of individuals are covered. The main rights for individuals under GDPR are:
    • Subject access
    • To have inaccuracies corrected
    • To have information deleted
    • To prevent direct marketing
    • To prevent automates decision making and profiling
    • Data portability
  5. Organisations currently have 40 days to respond to subject access requests. This has changed to a month under the GDPR and in most cases, you will not be able to charge for complying with a request. Existing data procedures should be updated to account for the new timescales.
  6. Identify your legal basis for data processing and be prepared to explain it in your privacy notice and when you answer a subject access request. The legal bases in the GDPR are broadly similar as those in the DPA but they should be documented to help with compliance with the accountability requirements.
  7. Review how you are seeking, obtaining and recording consent and whether any changes are required to comply with the GDPR. The main new requirement is that consent has to be a positive indication of agreement to personal data being processed. Consent has to be verifiable and Data Controllers must be able to demonstrate that consent was given.
  8. If you collect personal data on children (probably be defined as anyone under 13) then there are some additional requirements under the GDPR. Consider implementing systems to verify ages and the gathering of parental or guardian consent for data processing. The GDPR puts greater emphasis on the protection of children’s personal data particularly in online environments. Privacy notices must be written in language children will understand.
  9. Ensure you have procedures in place for the detection, reporting and investigation of personal data breaches. Where a breach results in some sort of damage to an individual such as identify theft or unauthorised access to personal data, the breach has to be reported to the ICO. In some cases, you will have to notify the data subject(s) of the breach. Failure to notify of a breach could result in a fine as well as the fine for the breach itself.
  10. Implement a process to conduct Privacy Impact Assessments  to identify the most effective way to comply with data protection obligations and meet individuals’ expectations or privacy. PIAs should be part of organisational risk management and project management processes. Identify conditions for when a PIA is required and who would conduct it.
  11. Assign a Data Protection Officer or someone to take responsibility for data protection compliance. This is a requirement for public authorities or organisations that regularly collect and process large quantities of personal data.
  12. If your organisation operates internationally, determine which data protection supervisory authority the organisation comes under. The lead authority is determined according to where your organisation has its administration or where decisions about data processing are made. This authority would take the lead when investigating a complaint involving data processing in a number of Member States.

If you would like some help with your GDPR readiness assessment, contact us at info@aristi.co.uk or call us on 0121 2225630.

 

 

Harj Singh MBA CLAS CISSP MBCS CITP is a Principle CLAS Consultant at Aristi. Harj has over 20 years of experience in the IT and Security industry gained through technical and managerial roles and has helped clients in government, emergency services and the private sector to develop and implement security strategies and solutions that add value to their business.

GET
IN TOUCH

Please contact Aristi to discuss your requirements. Filling in the form below is the quickest way to get in touch with the relevant person at Aristi.

CONNECT
WITH US

Keep up-to-date with insights and info on all areas of Information Assurance, Information Security, Penetration Testing & Data Sharing from the award-winning consultants Aristi.

Latest Tweets

Cyber security firm offers free GDPR seminars | GBCCBirmingham-based data protection and cyber security specialists… https://t.co/BtNQx4ORts
Virtual Data Protection Officer https://t.co/Lp0sA0A0uT
We Are Recruiting! https://t.co/GCS23Qnofm

Subscribe to our Newsletter

Latest Blog Posts

  • Virtual Data Protection Officer

    Share the post “Virtual Data Protection Officer” FacebookGoogle+LinkedInTwitter The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities. To support your on going GDPR compliance and management requirements, we can provide a Virtual Data Protection […]

    Written on Thursday, 10 May 2018
  • Protecting Businesses with Cyber Essentials

    Share the post “Protecting Businesses with Cyber Essentials” FacebookGoogle+LinkedInTwitter The lack of basic cyber security controls remains a significant factor in the vast majority of cyber attacks in the UK today. Businesses are left worried about hackers, data loss and security, and are not sure where to turn. The scale of the threat is nothing […]

    Written on Monday, 05 March 2018
  • Are Phishing Emails still a problem?

    Share the post “Are Phishing Emails still a problem?” FacebookGoogle+LinkedInTwitter There is so much technology and software available these days, preventing malware and malicious emails from getting into our systems that you have to ask are phishing emails still a problem? One of the most used communication technologies is still email due to its versatility […]

    Written on Friday, 02 March 2018